Privacy Rule - SS - FINAL - 2017


Privacy of Consumer Financial Information (Gramm-Leach-Bliley Act Privacy Rule)

OMB: 3084-0121

Supporting Statement for the Privacy of Consumer Financial Information Rule
16 CFR § 313
(OMB Control No. 3084-0121)

(1) & (2) Necessity for and Use of the Information Collection

The Gramm-Leach-Bliley Act (“GLB Act” or the “Act”), Pub. L. No. 106-102, 113 Stat.
1338 (November 12, 1999), permits banks to affiliate with firms engaged in insurance, securities,
and other financial activities. Title V, Subtitle A of the GLB Act (“Subtitle A”) provides certain
privacy protections to consumers. The Federal Trade Commission (“FTC” or “Commission”) is
charged with prescribing rules as necessary to implement the provisions of Subtitle A as to those
entities over which the Commission has enforcement jurisdiction. [1] Accordingly, the
Commission promulgated the Privacy of Consumer Financial Information Rule (also known as
the “Rule” or the “GLB Privacy Rule”).

As mandated by the GLB Act, the Rule implements consumer disclosure requirements
that are subject to the provisions of the Paperwork Reduction Act, 44 U.S.C. Chapter 35
(“PRA”). [2] The required disclosures are: (1) initial notice of the financial institution’s privacy
policy when establishing a customer relationship with a consumer and/or before sharing a
consumer’s non-public personal information with certain nonaffiliated third parties; (2) notice of
the consumer’s right to opt out of information sharing with such parties; (3) annual notice of the
institution’s privacy policy to any continuing customer; and (4) notice of changes in the
institution’s practices on information sharing. The Rule does not include recordkeeping
requirements.

The Rule’s requirements are designed to ensure that customers and consumers, subject to
certain exceptions, will have access to the privacy policies of the financial institutions with
which they conduct business. The privacy policies must state: (a) the categories of nonpublic
personal information the financial institution collects; (b) the categories of nonpublic personal
information the financial institution discloses; (c) the categories of affiliates and nonaffiliated
third parties to whom the financial institution discloses such information; and (d) the financial
institution’s policies and practices with respect to protecting the confidentiality, security, and
integrity of the information. In certain situations, consumers will also be informed of the means
by which they can opt out of financial institution sharing of their nonpublic personal information
with nonaffiliated third parties.

[1] 15 U.S.C. §§ 6804, 6805. Other agencies were also required to issue rules with respect to those entities
over which they have enforcement jurisdiction. For example, the Bureau of Consumer Financial Protection
issued Privacy of Consumer Financial Information (Regulation P), 12 CFR § 1016, which applies to
depository institutions and many non-depository institutions. See 76 Fed. Reg. 79,028 (Dec. 21, 2011).

[2] Under the PRA, federal agencies must get OMB approval for each collection of information they conduct,
sponsor, or require. “Collection of information” means agency requests or requirements to submit reports,
keep records, or provide information to a third party. 44 U.S.C. § 3502(3); 5 CFR § 1320.3(c).

October 2017


The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank
Act”) [3] substantially changed the federal legal framework for financial services providers.
Among the changes, the Dodd-Frank Act transferred rulemaking authority for a number of
consumer financial protection laws from seven Federal agencies, including the FTC, to the
Bureau of Consumer Financial Protection (“CFPB”) as of July 21, 2011. This transfer to the
CFPB included most provisions of Subtitle A of Title V of the GLB Act, with respect to
financial institutions described in Section 504 of the GLB Act. Pursuant to the GLB Act, only
the FTC retains rulemaking authority for its GLB Privacy Rule, 16 CFR § 313, for motor vehicle
dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and
servicing of motor vehicles, or both. The CFPB implemented its own regulations to enforce the
Dodd-Frank provisions, including Privacy of Consumer Financial Information (Regulation P), 12
CFR § 1016.

On December 4, 2015, Congress amended the GLB Act as part of the Fixing America’s
Surface Transportation Act (FAST Act). This amendment, titled Eliminate Privacy Notice
Confusion (FAST Act, Public Law 114-94, section 75001), added new GLB Act section 503(f).
This subsection provides an exception under which financial institutions that meet certain
conditions are not required to provide annual privacy notices to customers. Section 503(f)
requires that to qualify for this exception, a financial institution must not share nonpublic
personal information about customers except as described in certain statutory exceptions, under
which sharing does not trigger a customer’s statutory right to opt out of the sharing. In addition,
section 503(f)(2) requires that the financial institution must not have changed its policies and
practices with regard to disclosing nonpublic personal information from those that the institution
disclosed in the most recent privacy notice the customer received.

Contemporaneous with the issuance of Regulation P, the CFPB and FTC each have
previously submitted to OMB, and received its approval for, the agencies’ respective burden
estimates reflecting their overlapping enforcement jurisdiction. The FTC supplemented its
estimates for the enforcement authority exclusive to it regarding the class of motor vehicle
dealers noted above. Following the preliminary background information, the discussion in
response to Specification #12 below continues that analytical framework with appropriate
updates reflecting the changes to the statute under the FAST Act.
(3) Information Technology

The Rule gives explicit examples of electronic options that financial institutions may use
to transmit the privacy and opt-out notices required by the Rule. See, e.g., 16 CFR § 313.9(b),
(c), (e). The FTC, together with the other federal financial agencies, adopted a model privacy
form that financial institutions may rely on as a safe harbor to provide disclosures under each
agency’s GLB privacy rules. The model privacy form was available for use beginning in
January 2010 and remains the only safe harbor currently available for compliance with such
privacy rules. 74 Fed. Reg. 62,890 (Dec. 1, 2009).

[3] Public Law 111–203, 124 Stat. 1376 (2010).

In order to ease the burden on entities that wanted to adopt the new model privacy form,
the agencies developed an “Online Form Builder” that an entity can download and use to
develop and print customized versions of a model consumer privacy notice. The Online Form
Builder is available with several options. Easy-to-follow instructions for the form builder will
guide an institution to select the version of the model form that fits its practices, such as whether
the institution provides an opt-out for consumers. The agencies announced the availability of
this tool, which can be found at
https://www.ftc.gov/news-events/press-releases/2010/04/federal-regulators-release-model-consumer-privacy-notice-online.

These electronic options help minimize the burden and cost of the Rule’s information
collection requirements for financial institutions subject to the Rule, and are consistent with the
objectives of the Government Paperwork Elimination Act. See Pub. L. 105-277, Div. C, Title
XVII, 112 Stat. 2681, 2681-749, reprinted in 44 U.S.C. § 3504 note.
(4) Efforts to Identify Duplication

Any inconsistent state notice requirement would be preempted by federal law unless it
provided greater protection. 15 U.S.C. § 6807. Further, the Rule provides, as required under 15
U.S.C. § 6803(c)(4), that the financial institution’s initial and annual notices include any
disclosures required under Section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act, 15 U.S.C.
§ 1681a(d)(2)(A)(iii), thereby incorporating, but not duplicating, a pre-existing disclosure
obligation to consumers.
(5) Efforts to Minimize Small Organization Burden

The Commission drafted the Rule to minimize the compliance burden as much as
possible. As noted above, the notice requirements are expressly mandated by the GLB Act. The
Rule implements these requirements by providing guidance on the contents of such notices while
affording small businesses (and all other regulated businesses) some flexibility in choosing the
means to disseminate such notices. For example, the required notices may, depending upon the
circumstances, be disclosed by hand-delivery, conventional mail, or electronic mail. 16 CFR
§ 313.9(b)(1).

The GLBA Rule also gives regulated parties clear guidance on the contents of the
required notices. This guidance, staff believes, will help eliminate much of the administrative
and legal costs that might be incurred by businesses seeking to determine what must be included
in a notice in order to comply with the Rule. Finally, as also noted above, the agencies
developed an “Online Form Builder” to further ease the burden on regulated parties, which
affected entities can download and use to develop and print customized versions of a model
consumer privacy notice.
(6) Consequences of Conducting Collection Less Frequently

While the Rule allows some flexibility in the means of disseminating the required notices,
the frequency of “collection” is set by the statutory language of the GLB Act. See Sections
502(a) - (b), 503(a) of the GLB Act.


(7) Circumstances Requiring Collection Inconsistent With Guidelines

The collection of information in the Rule is consistent with all applicable guidelines
contained in 5 CFR § 1320.5(d)(2).
(8) Public Comments/Consultation Outside the Agency

The FTC sought public comment on its request to OMB for a three-year extension of the
current PRA clearance for the information collection aspects of the Rule, as required by 5 CFR §
1320.8(d). See 82 Fed. Reg. 31,604 (July 7, 2017). No comments were received. The FTC is
providing a second opportunity for public comment while seeking OMB approval to extend the
existing PRA clearance for the Rule.
(9) Payments or Gifts to Respondents

Not applicable.

(10) & (11) Assurances of Confidentiality/Matters of a Sensitive Nature

The requirements for which the Commission seeks renewed OMB clearance do not
involve disclosure of confidential respondent or customer information but, rather, the disclosure
of financial institutions’ practices regarding collection and sharing of consumer and customer
nonpublic personal information. This is done with a view toward safeguarding consumer
privacy and/or enhancing their understanding of what nonpublic personal information
respondents may share with other institutions.
(12) Estimated Annual Hours Burden

Estimated annual hours burden: 1,725,300 annual hours (FTC portion) [4]

As noted in previous burden estimates for the Privacy Rule, determining the PRA burden
of the Rule’s disclosure requirements is very difficult because of the highly diverse group of
affected entities, consisting of financial institutions not regulated by a Federal financial regulatory
agency. See 15 U.S.C. 6805 (committing to the Commission’s jurisdiction entities that are not
specifically subject to another agency’s jurisdiction).
The burden estimates represent the FTC staff’s best assessment, based on its knowledge
and expertise relating to the financial institutions subject to the Commission’s jurisdiction under
this law. To derive these estimates, staff considered the wide variations in covered entities. In
some instances, covered entities may make the required disclosures in the ordinary course of
business, apart from the Privacy Rule. In addition, some entities may use highly automated
means to provide the required disclosures, while others may rely on methods requiring more
manual effort. The burden estimates shown below include the time that may be necessary to train
staff to comply with the regulations. These figures are averages based on staff’s best estimate of
the burden incurred over the broad spectrum of covered entities.

[4] This figure corrects the estimate set forth in the published 30-Day FR Notice, which incorrectly stated
1,725,600 as the annual hours burden.

Staff estimates that the number of entities each year that will address the Privacy Rule for
the first time will be 5,000 and the number of established entities already familiar with the Rule
will be 100,000. While the number of established entities familiar with the Rule would
theoretically increase each year with the addition of new entrants, staff retains its estimate of
established entities for each successive year given that a number of the established entities will
close in any given year, and also given the difficulty of establishing a more precise estimate.

Staff believes that the usage of the model privacy form and the availability of the form
builder simplify and automate much of the work associated with creating the disclosure
documents for new entrants. Staff thus estimates 1 hour of clerical time and 2 hours of
professional/technical time per new entrant.

For established entities, staff similarly believes that the usage of the model privacy form
and the availability of the Online Form Builder reduces the time associated with the modification
of the notices. Staff thus estimates 7 hours of clerical time and 3 hours of professional/technical
time per respondent. Staff estimates that no more than 1% of the estimated 100,000 established-entity
respondents would make additional changes to privacy policies at any time other than the
occasion of the annual notice. Furthermore, under Section 503(f), businesses who have not
changed their privacy notice since the last notice sent and who do not share information with nonaffiliated third parties outside of certain statutory exceptions do not have to issue annual notices
to their customers. Staff estimates that at least 80% of businesses covered by the rule will,
accordingly, not be required to issue annual notices.

The complete burden estimates for new entrants and established entities are detailed in the
charts below.

Start-up hours and labor costs for all new entrants (Table IA):

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLB Act-implementing instructions.** | $42.76 Professional/Technical | 20 | 5,000 | 100,000 | $4,276,000 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures). | $17.91 Clerical | 1 | 5,000 | 5,000 | 89,550 |
| | $42.76 Professional/Technical | 2 | 5,000 | 10,000 | 427,600 |
| Disseminating initial disclosure (including opt-out notices). | $17.91 Clerical | 15 | 5,000 | 75,000 | 1,343,250 |
| | $42.76 Professional/Technical | 10 | 5,000 | 50,000 | 2,138,000 |
| Total | | | | 240,000 | $8,274,400 |

*Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for
Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g., compliance evaluation and/or planning,
designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where
applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May 2016, Table 1 at
https://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect solely that of the commercial entities affected. Staff estimates that the
time required of consumers to respond affirmatively to respondents’ opt-out programs (be it manually or electronically) would be minimal.
**Reviewing instructions includes all efforts performed by or for the respondent to: determine whether and to what extent the respondent is
covered by an agency collection of information, understand the nature of the request, and determine the appropriate response (including the creation
and dissemination of documents and/or electronic disclosures).

Burden hours and costs for all established entities (Table IB):

Burden for established entities already familiar with the Rule predictably would be less
than for start-up entities because start-up costs, such as crafting a privacy policy, are generally
one-time costs and have already been incurred. Staff's best estimate of the average burden for
these entities is as follows:

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents** | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLB Act-implementing policies and practices. | $42.76 Professional/Technical | 4 | 100,000 | 400,000 | $17,104,000 |
| Disseminating initial notices to new customers | $17.91 Clerical | 15 | 100,000 | 1,500,000 | 26,865,000 |
| Disseminating annual disclosure to pre-existing customers. | $17.91 Clerical | 15 | 14,000 | 210,000 | 3,761,100 |
| | $42.76 Professional/Technical | 5 | 14,000 | 70,000 | 2,993,200 |
| Changes to privacy policies and related disclosures. | $17.91 Clerical | 7 | 1,000 | 7,000 | 125,370 |
| | $42.76 Professional/Technical | 3 | 1,000 | 3,000 | 128,280 |
| Total | | | | 2,190,000 | $50,976,950 |

*Staff calculated labor costs by applying appropriate hourly cost figures to burden hours. The hourly rates used were based on mean wages for
Financial Examiners and for Office and Administrative Support, corresponding to professional/technical time (e.g., compliance evaluation and/or planning,
designing and producing notices, reviewing and updating information systems), and clerical time (e.g., reproduction tasks, filing, and, where
applicable to the given event, typing or mailing) respectively. See BLS Occupational Employment and Wages, May 2016, Table 1 at
http://www.bls.gov/news.release/pdf/ocwage.pdf. Labor cost totals reflect solely that of the affected commercial entities. Consumers have a
continuing right to opt out, as well as a right to revoke their opt-out at any time. When a respondent changes its information sharing practices,
consumers are again given the opportunity to opt out. Again, staff assumes that the time required of consumers to respond affirmatively to respondents'
opt-out programs (be it manually or electronically) would be minimal.
**The estimate of respondents which are required to disseminate annual notices is based on the following assumptions: (1) 100,000 established
respondents, approximately 70% of whom maintain customer relationships exceeding one year, (2) no more than 20% (14,000) of whom have made
changes to their policies and share nonpublic information outside of the statutory exceptions, and therefore are required to provide annual notices under
GLB Act 503(f). See CFPB, Proposed Rule, 81 FR 44801, 44809 (July 11, 2016); (3) and no more than 1% (1,000) of whom make additional changes
to privacy policies at any time other than the occasion of the annual notice; and (4) such changes will occur no more often than once per year.

As calculated above, the total annual PRA burden hours and labor costs for all affected entities in
a given year would be 2,430,000 hours and $59,251,350, respectively.

The FTC now carves out from these overall figures the burden hours and labor costs
associated with motor vehicle dealers. This is because the CFPB does not enforce the Privacy
Rule for those types of entities. We estimate the following:

Annual start-up hours and labor costs for new motor vehicle dealer entrants only (Table IIA):

| Event | Hourly wage and labor category | Hours per respondent | Approx. number of respondents (Table IA inputs x 0.42)** | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing internal policies and developing GLB Act-implementing instructions.** | $42.76 Professional/Technical | 20 | 2,100 | 42,000 | $21,795,920 |
| Creating disclosure document or electronic disclosure (including initial, annual, and opt-out disclosures). | $17.91 Clerical | 1 | 2,100 | 2,100 | 37,611 |
| | $42.76 Professional/Technical | 2 | 2,100 | 4,200 | 179,592 |
| Disseminating initial disclosure (including opt-out notices). | $17.91 Clerical | 15 | 2,100 | 31,500 | 564,165 |
| | $42.76 Professional/Technical | 10 | 2,100 | 21,000 | 897,960 |
| Total | | | | 100,800 | $3,475,248 |

**Multiply the number of respondents from the comparable table above on all new entrants by the following allocation (43,708/105,000) = 0.42. The
number in the denominator represents the total of the FTC’s existing Privacy Rule estimates for new entrants (5,000) and established entities (100,000).
The numerator represents an estimate of motor vehicle respondents. For this category, Commission staff relied on the following industry estimates: 16,708
new car dealers per National Automobile Dealers Association data (2016) and 12,000 independent/used car dealers who do not extend credit directly to
consumers without routinely assigning the credit to third-parties per National Independent Automobile Dealers Association data (2012), respectively, in
addition to 15,000 dealers of other motor vehicles (motorcycles, boats, other recreational vehicles) per the 2012 economic census, which are also covered
within the definition of “motor vehicle dealer” under section 1029(a) of the Dodd-Frank Act.

Annual burden hours and labor costs for established motor vehicle dealers only (Table IIB):

| Event | Hourly wage and labor category* | Hours per respondent | Approx. number of respondents** (Table IB inputs x 0.42) | Approx. total annual hrs. | Approx. total labor costs |
|---|---|---|---|---|---|
| Reviewing GLB Act-implementing policies and practices. | $42.76 Professional/Technical | 4 | 42,000 | 168,000 | $7,183,680 |
| Disseminating initial notices to new customers. | $17.91 Clerical | 15 | 42,000 | 630,000 | 11,283,300 |
| Disseminating annual disclosure. | $17.91 Clerical | 15 | 5,880 | 88,200 | 1,579,662 |
| | $42.76 Professional/Technical | 5 | 5,880 | 29,400 | 1,257,144 |
| Changes to privacy policies and related disclosures. | $17.91 Clerical | 7 | 420 | 2,940 | 52,655 |
| | $42.76 Professional/Technical | 3 | 420 | 1,260 | 53,878 |
| Total | | | | 920,400 | $21,410,319 |

The FTC’s portion of the annual hourly burden would be 1,021,200 + ((2,430,000 – 1,021,600) /
2) = 1,725,300 annual hours. The FTC’s portion of the annual cost burden would be $24,885,567
+ (($59,251,350 – 24,885,567) / 2) = $42,068,459. [5]
(13) Estimated Capital/Other Non-Labor Costs Burden

Staff believes that capital or other non-labor costs associated with the document requests
are minimal. Covered entities will already be equipped to provide written notices (e.g.,
computers with word processing programs, copying machines, mailing capabilities). Most likely,
only entities that already have online capabilities will offer consumers the choice to receive
notices via electronic format. As such, these entities will already be equipped with the computer
equipment and software necessary to disseminate the required disclosures via electronic means.
(14) Estimate of Cost to Federal Government

Over the course of the three-year clearance period sought, enforcing and administering
the GLB Privacy Rule will require the cumulative expenditure per year of approximately five
attorney/investigator work years (approximately $72,000 per employee) for a total of $360,000
in labor costs. In addition, staff estimates that associated travel costs, clerical, and other support
services will total approximately $20,000 per year. Thus, the annualized approximate cost to the
Commission is $380,000.
(15) Program Changes or Adjustments

Staff has slightly adjusted upward the FTC portion of the annual burden costs from
1,515,050 (2014) to 1,725,300 annual hours (2017).
(16) Statistical Use of Information

There are no plans to publish information associated with the Rule’s requirements for
statistical use.
(17) Display of Expiration Date for OMB Approval

Not applicable.

(18) Exceptions to Certification

Not applicable.

[5] This figure corrects the estimate set forth in the published 30-Day FR Notice, which incorrectly stated
$42,081,287 as the annual cost burden.



File Type: application/pdf
File Title: GLB '11 SS FIN_mtd.wpd
Author: ggreenfield
File Modified: 2017-10-17
File Created: 2017-10-17
